I agree with Ari.
There is a security consideration hiding here, though....
If someone has authenticated themselves on a realm corresponding to
http://host/dir1, the browser should not try to present those
credentials to authenticate themselves at http://host/dir2.
(i.e. should limit themselves to the same region of namespace
that the first realm was observed for).
Otherwise, one will be presenting a username and password to
potentially a different agent that may then capture and/or attack
using it (particularly for basic, not one of the world's best
security mechanisms).
I don't remember any such security consideration in the current document.
- Jim